
Bug#539246: apache2: Incorrect password check with CRYPT



reassign apache2-utils
retitle htpasswd should use a more secure password hash by default
severity wishlist
thanks

> If you create a User/Password combination with htpasswd using the default
> CRYPT encryption and a password with more than 8 chars, the Website still
> gets you access by typing in the first 8 chars or the complete password.

As you already have found out, this is a well-known and documented
property of the crypt hash. Users may use a different, more secure hash if
they want to, but the default should probably be changed, too. However, I
am not sure if it would be a good idea to deviate from upstream here. I
have asked upstream if they want to change it; let's see what they answer.
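To make the property discussed above checkable, here is an added example (not part of the bug report or of apache2-utils) that audits an htpasswd file and flags entries stored with traditional crypt(3), whose DES scheme only hashes the first 8 characters of the password. The sample htpasswd contents, usernames and hash values are constructed for the example.

```python
import re
from dataclasses import dataclass

# Traditional DES crypt(3) output: 2-char salt + 11-char hash from the crypt alphabet.
DES_CRYPT_RE = re.compile(r'^[./0-9A-Za-z]{13}$')
# DES crypt keys the cipher with the low 7 bits of at most the first 8 characters.
DES_CRYPT_MAX_LEN = 8

@dataclass
class Finding:
    user: str
    scheme: str
    weak: bool
    note: str

def classify_hash(h):
    """Identify the htpasswd hash scheme and whether it checks the whole password."""
    if h.startswith('$apr1$'):
        return 'apr1-md5', False, 'Apache MD5 (htpasswd -m); full password hashed'
    if h.startswith('{SHA}'):
        return 'sha1', False, 'unsalted SHA-1 (htpasswd -s); full password hashed'
    if h.startswith(('$2y$', '$2a$', '$2b$')):
        return 'bcrypt', False, 'bcrypt (htpasswd -B); full password hashed, 72-byte cap'
    if DES_CRYPT_RE.match(h):
        return 'crypt-des', True, 'traditional crypt(3); only first 8 chars are checked'
    return 'unknown', True, 'unrecognised format; possibly plaintext, review manually'

def des_effective_key(password):
    """Return the part of a password that DES crypt(3) actually uses."""
    return ''.join(chr(ord(c) & 0x7f) for c in password[:DES_CRYPT_MAX_LEN])

def audit_htpasswd(text):
    """Classify every user:hash line; weak=True means a prefix or plaintext match suffices."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        user, sep, h = line.partition(':')
        if not sep:
            findings.append(Finding(user, 'malformed', True, f'line {lineno}: no ":" separator'))
            continue
        scheme, weak, note = classify_hash(h)
        findings.append(Finding(user, scheme, weak, note))
    return findings

# Constructed sample file: hash values are format-valid placeholders, not real credentials.
SAMPLE_HTPASSWD = """# constructed for this example
alice:abJnggxhB/yWI
bob:$apr1$x8kQ3p1v$W7o9fQp1ZqQeK9hIu2pV7/
carol:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
dave:$2y$05$aaaaaaaaaaaaaaaaaaaaaeqKEeOtwT6nZ0rBDyv0eaStl0T0cVG6C
broken line without separator
"""
```

Running `audit_htpasswd(SAMPLE_HTPASSWD)` flags only the crypt-des and malformed entries as weak; `des_effective_key('longpassword')` returns `'longpass'`, which is why any password sharing those 8 characters is accepted.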
